Ubuntu Android problem

Hello everyone.

It would be really helpful to know how to do this on an Ubuntu server, because Android <7.1.1 clients cannot connect anymore.

2 Likes

Hi @bazar, welcome to the LE community forum.

Please tell us more details about this problem.
What is the FQDN having trouble?
Which version of Ubuntu?
Which version of OpenSSL?
Which port(s) are they having trouble connecting to?

3 Likes

Thank you for the prompt response.
Here are the answers:

api.simlr.net
Ubuntu 18.04.6 LTS
OpenSSL 1.1.1
port 443

2 Likes

I don't see anything obviously wrong with the cert there:

openssl s_client -connect api.simlr.net:443 -servername api.simlr.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.simlr.net
verify return:1
---
Certificate chain
 0 s:CN = api.simlr.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

It is using the longer trust path (that allows older Android systems access).
If you don't need to service any such systems, you can switch to the shorter, and newer, chain in one of two ways:
[presuming you are using a relatively new version of certbot]

  • reissuing a cert with the added parameter --preferred-chain "ISRG Root X1"
    [which should then be saved and used during subsequent renewals]
  • manually modify the current fullchain.pem file; removing the last cert

3 Likes
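
An added example, not part of the original posts: a small Python parser for the "Certificate chain" section of `openssl s_client` output that reports whether a server is sending the longer path (ending in the DST Root CA X3 cross-sign) or the shorter one (ending at ISRG Root X1). The sample input is constructed from the output quoted above, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample: the "Certificate chain" section from the s_client output quoted above.
SAMPLE = """\
Certificate chain
 0 s:CN = api.simlr.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    chain, subject, in_section = [], None, False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section (PEM lines from -showcerts do not match)
        elif in_section:
            m = re.match(r"\s*(?:\d+\s+)?([si]):(.*)", line)
            if m and m.group(1) == "s":
                subject = m.group(2).strip()
            elif m and subject is not None:
                chain.append((subject, m.group(2).strip()))
    return chain

def common_name(dn):
    """Extract the CN from either 'CN = x' (1.1.1+) or '/CN=x' (older) DN formats."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def classify(text):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' section found")
    # Each certificate's issuer should be the subject of the next one sent.
    ordered = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    top = common_name(chain[-1][1])
    path = {"DST Root CA X3": "long", "ISRG Root X1": "short"}.get(top, "other")
    return {"certs": len(chain), "ordered": ordered, "top_issuer": top, "path": path}

if __name__ == "__main__":
    # Optional argument: a file holding saved s_client output; defaults to the sample.
    print(classify(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE))
```
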

I do need to service older Android systems, but now they cannot connect, and I'm trying to solve it.

2 Likes

Is that now now OR just now OR the now before now?

Have you changed anything?

6 Likes

Since September 30 2021.

2 Likes

There must be something wrong with your Android devices.
Using Android 4.4.2, I can connect to: https://api.simlr.net/
It says:

400 Bad Request

But it connects without a certificate issue.

3 Likes

On an Android 5 device, I can open this link via a browser, but the Flutter app cannot connect to this address, though it could connect before September 30.

2 Likes

@bazar
Are you sure the flutter app connects to the same port 443?

I don't see any related issues at: Issues · flutter/flutter · GitHub

3 Likes

Definitely.

2 Likes

@bazar
Then the (client) app definitely must bring along its own way to connect (dlls, etc.)
Which are incompatible with the cert being served.
Other than the Flutter client app, do any other Androids connect to that same point (https://api.simlr.net/)?

3 Likes

Nope, only the Flutter app.

2 Likes

Great.
Let's make them all work!

Please show the web vhost config file for: api.simlr.net:443

3 Likes

532 posts were merged into an existing topic: Help thread for DST Root CA X3 expiration (September 2021)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Hello everyone!

If I understand correctly, Android >= 2.3.6 should still work thanks to cross-sign? But my Flutter app cannot connect on Android versions prior to 7.1.1 since Sep. 30. Says that certificate has expired.

Lots of messages there, but still unclear what can be done on the server to continue supporting old (but newer than 2.3.6) Android clients. I'm running an Ubuntu server with certbot. I already told users to update Android, but this option is not always available. It should be possible to solve this issue server-side.

2 Likes

How was the Flutter app TLS enabled?
Which certbot files does it now use?

3 Likes

The app uses the Dart HttpClient class.
The docs say that HTTPS will work automatically if the server's certificate is signed by a root CA (certificate authority) on the default list of well-known trusted CAs, compiled by Mozilla. Is it the case?

I didn't understand your second question about certbot files. Could you elaborate?

2 Likes

Well that likely depends on which version of Mozilla trusted root store you are using.
If it is relatively new, then I suppose, yes.

Which ACME client are you using to get certs?
Which of those files does Flutter use to encrypt with?

2 Likes